(This is used to request new product features, please visit https://discuss.istio.io for questions on using Istio)

Describe the feature request

It is good practice to Restrict a Container's Syscalls with seccomp. To do this one sets the seccompProfile field on the Pod's securityContext. Most container runtimes provide a sane set of default syscalls that are allowed or not, and these can be called using RuntimeDefault.

I'd propose that Istio should set the RuntimeDefault for all pods it creates (istiod being the one I'm especially interested in).
It should also allow over-riding the securityContext of every pod and container it creates.

Describe alternatives you've considered

You could just make the securityContexts configurable.

Affected product area (please put an X in all that apply)

[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

Additional context